04.01 As stated in Section 01.02, the university’s information resources are strategic and vital assets that must be available when needed and protected commensurate with their value. In this policy, the university has identified specific actions required to achieve these objectives. The university has also articulated the owner, custodian, and user roles to clearly distinguish the parties responsible and accountable for taking those actions, in consultation with the IRM and ISO.

c. Confidential (Level 3) information is defined by TAC 202 to be “information that must be protected from unauthorized disclosure or public release based on state or federal law or other legal agreement” such as the TPIA and the FERPA.

*h. Confidential or sensitive information shall be retained only as long as the information is needed to conduct university business. It is the responsibility of owners, custodians, and employee users to perform periodic reviews to ensure confidential and sensitive information stored on university information resources (e.g., desktops, laptops, portable drives, and servers) is removed when no longer needed. Information Technology provides data loss prevention software to assist in the identification, encryption, or removal of confidential and sensitive information on all university workstations.

*j. All workstation computing devices that do not have an approved exemption are required to employ whole disk encryption, regardless of their intended use or the data stored on them, to protect against inadvertent data disclosure. Please refer to the Computer Encryption Program website for information on computer encryption best practices.

*k. ITAC, in consultation with the ISO, will provide and support whole disk encryption for all university workstations. Departments that do not have a technical support person can request assistance from ITAC with installing encryption software on their computers. It is the responsibility of each workstation owner and the associated department head to ensure that systems under their custodianship are encrypted.

*l. There may be instances in which a device, or group of devices, may need to be exempted from the encryption standard (e.g., a computer lab that is imaged on a regular basis). In these cases, a formal encryption exception request form must be submitted for approval. Department computing resources that need to be exempted from encryption or have encryption configured should direct requests to itac@txstate.edu. The ISO, or designee, will review and authorize exemption requests. Approved exemptions are valid for 365 days. Owners may appeal denied exemption requests to the vice president for Information Technology, whose decision is final.

*m. Confidential information shall not be shared, exposed, or transmitted via any peer-to-peer (P2P) file sharing mechanism prior to completion of a comprehensive risk assessment, including penetration testing, of the proposed P2P file sharing mechanism by IT Security.

A university-assigned network identifier (e.g., NetID or Texas State ID number) and its corresponding “secret” (e.g., a password/PIN or smartcard or token) shall be used to accomplish the authentication. Based upon security risk assessment, information resources that contain sensitive or confidential information may require the use of two-factor authentication where one factor is provided by a device separate from the computer gaining access. The network identifier shall be unique to an individual in all cases except for authorized “service” accounts that must be accessible to a team of custodians charged with supporting a breadth of resources (see NIST 800-53 AC).

In the event that a legacy or administrative system is incapable of meeting all requirements for user passwords, alternative mitigating security controls shall be implemented in place of these requirements with approval from the ISO, or designee.